Forwarding rules for Cloud Service Mesh
Note: This guide only supports Cloud Service Mesh with Google Cloud APIs anddoes not support Istio APIs. For more information see,Cloud Service Mesh overview.This document applies only to Cloud Service Mesh with the load balancing APIs. Westrongly recommend that you use theservice routing APIsto deploy Cloud Service Mesh.
Cloud Service Mesh uses the forwarding rule to determine the target proxy towhich traffic in the mesh is routed.
Each forwarding rule provides a single global IPv4 address for a service. Youcan use that address to create internal DNS records for your service(for example, by using aCloud DNS managed private zone).Metadata filters in the forwarding rule specify the criteria for which anxDS-compliant sidecar proxy receives the configuration.
Note: This page only discusses forwarding rules in the context ofCloud Service Mesh. Forwarding rules are also used to provide forwardinginformation in the control plane forprotocol forwarding,Classic VPN gateways,andGoogle Cloud load balancers.For a more comprehensive overview of forwarding rules, see theCloud Load Balancing forwarding rules overview.For the Cloud Service Mesh control plane, the internal, self-managed, andglobal forwarding rule routes traffic by IP address, port, and protocol to atarget proxy. The target proxy points to a URL map that contains rules thatdetermine the destination of the traffic. The URL map also specifies the defaultbackend service. This backend service specifies a health check and determinesthe appropriate backend, such as a managed instance group (MIG) that containsvirtual machine (VM) instances or anetwork endpoint group (NEG)that contains Google Kubernetes Engine (GKE) backend Pods.
The following diagram shows how a forwarding rule fits into the Cloud Service Mesharchitecture.
Forwarding rule properties
A forwarding rule resource contains the following properties that apply toCloud Service Mesh. The forwarding rule handles traffic that matches thedestination IP address, protocol, and port number.
A0.0.0.0 IP address in a forwarding rule is one of the options whenusing Cloud Service Mesh. A0.0.0.0 IP address means any IP address.
With a proxy deployment, a
0.0.0.0IP address lets a proxy match anyincoming traffic if no other specific match is found.With a proxyless deployment, a
0.0.0.0IP address provides a way to specifythat an IP address is not required. More details follow about using0.0.0.0IP addresses with a target gRPC proxy.
The following table describes forwarding rule properties in more detail.
| Property | Required | Description |
|---|---|---|
name | ✔ | The name of the forwarding rule. The name must be unique in this project, from 1 to 63 characters, and match the regular expression: This means that the first character must be a lowercase letter, and all the following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. |
IPAddress | ✔ | One of the following: IP addresses for Cloud Service Mesh forwarding rules don't need to correspond to IP address ranges of subnets in the Virtual Private Cloud (VPC) network. For a given VPC network, IP address, and port, you can have only one internal, self-managed forwarding rule. For example, in the same VPC network, you cannot create two forwarding rules that use the |
IPAddress with a target gRPC proxy | A forwarding rule that references a target gRPC proxy with the A gRPC client that uses the As a result, Cloud Service Mesh uses the | |
target | ✔ | The target proxy that this forwarding rule directs traffic to. Cloud Service Mesh supports When you use the Google Cloud console to configure the forwarding rule, the target proxy is configured automatically. When you use the Google Cloud CLI or the API, the target proxy must exist before you create your forwarding rule. You can use more than one forwarding rule with a given proxy. |
IPProtocol | ✔ | The type of protocol that this forwarding rule matches. The only supported value isTCP. |
loadBalancingScheme | ✔ | Specifies how the forwarding rule is used. The valid value for Cloud Service Mesh isINTERNAL_SELF_MANAGED. |
portRange | ✔ | A port or a port range joined by a dash. Packets of the specified protocol sent to these ports are forwarded to the appropriate backend. You can specify a single number of a range—for example, For a given VPC network, IP address, and port, you can have only one internal, self-managed forwarding rule. For example, in the same VPC network, you cannot create two forwarding rules that use the With proxyless gRPC services, the port in the forwarding rule is matched with the port specified in the URI that a gRPC application uses to connect to a service. If a port is not specified in the URI, then |
network | ✔ | Specifies the VPC network where the Google Cloud VMs running Envoy proxies are located. The Envoy proxies read the Cloud Service Mesh configuration that you define for the same network where the proxies are deployed. You can use the VPC network named Cloud Service Mesh supports load balancing for clients only within the Google Cloud network. You specify the network name in the forwarding rule. VPC Network Peering isn't supported. |
Add a global forwarding rule
To learn how to configure a forwarding rule within the overallCloud Service Mesh setup with the load balancing APIS, see the following:
- Set up Cloud Service Mesh for Compute Engine VMs with automatic Envoy deployment
- Set up Cloud Service Mesh for Compute Engine VMs with manual Envoy deployment
- Set up Cloud Service Mesh for GKE Pods with automatic Envoy injection
- Set up Cloud Service Mesh for GKE Pods with manual Envoy injection
- Set up Cloud Service Mesh for Compute Engine VMs and proxyless gRPC services
- Set up Cloud Service Mesh for GKE Pods and proxyless gRPC services
What's next
- To use metadata filters to control which sidecar proxies receive theconfiguration attached to the forwarding rule, seeSetting up config filtering based on
MetadataFiltermatch. - To route traffic, seeCloud Service Mesh routing rule maps overview.
- To learn more about Cloud Service Mesh, see theCloud Service Mesh overview.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.